Configure SSO for a team

SSO is available with Postman Enterprise plans.

Single sign-on (SSO) for a Postman team is configured by a Team Admin. To configure SSO for a team, add an authentication method, and then configure the identity provider (IdP) details.

To learn more about the user experience, see Signing in to an SSO team.

Configuring single sign-on

To begin adding an authentication method, do the following:

  1. Go to Team Settings, then select Authentication.

  2. Select Add Authentication Method.

  3. Select the authentication type.

  4. Enter an authentication name that's identifiable to your team.

  5. Select Continue to configure the IdP details.


    Always check with your authentication provider dashboard or your IT support staff for the correct information to configure SSO.

Configuring the IdP details

After adding the authentication method, you can configure the IdP details.

To configure the IdP details later, select Configure Later. When you're ready to continue configuring the IdP details, see Editing SSO settings.

In the Service provider details (Postman) section, the Entity ID, Login URL, and ACS URL are already populated.

Fill in the Identity provider details section. From your IdP account, enter your SSO URL, Identity provider issuer, and X.509 Certificate. Alternatively, you can upload a metadata file from your IdP to configure all of the IdP details in one step.

To enter details in the Identity provider details section, you must sign in to your IdP account and get the details. Refer to the corresponding section of the documentation and follow the outlined procedure there:

Optionally, you can select the Automatically add new users checkbox if you want users to automatically join your team. The first time users sign in to Postman using this authentication method they will automatically join the team.
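The three values the Identity provider details section asks for (SSO URL, Identity provider issuer, X.509 Certificate) are exactly what an IdP metadata file carries. The following added example (not Postman code; it parses a constructed metadata sample with placeholder values) extracts them and runs the sanity checks that catch the usual copy mistakes, such as a certificate pasted with its PEM header lines or with a stray character:

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample IdP metadata (placeholder values, not from a real IdP or
# from Postman); the certificate body is a tiny placeholder DER blob.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MAMCAQE=
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ALLOWED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}
CERT_PATH = "md:KeyDescriptor{}/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def extract_idp_details(metadata_xml: str) -> dict:
    """Pull the SSO URL, issuer and X.509 certificate out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS) if idp is not None else None
    # Prefer the signing key; a KeyDescriptor without 'use' is valid for both uses.
    cert = None
    if idp is not None:
        cert = idp.find(CERT_PATH.format("[@use='signing']"), NS) or idp.find(CERT_PATH.format(""), NS)
    return {
        "issuer": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "binding": sso.get("Binding") if sso is not None else None,
        # Join the lines: the value is pasted into Postman as one base64 string.
        "x509_certificate": "".join(cert.text.split()) if cert is not None and cert.text else None,
    }


def check_idp_details(d: dict) -> list:
    """Return human-readable problems; an empty list means the details look sane."""
    problems = []
    if not d.get("issuer"):
        problems.append("Identity provider issuer (entityID) is missing")
    url = urlparse(d.get("sso_url") or "")
    if url.scheme != "https" or not url.netloc:
        problems.append("SSO URL must be an absolute https URL")
    if d.get("binding") not in ALLOWED_BINDINGS:
        problems.append("SingleSignOnService binding is not HTTP-Redirect or HTTP-POST")
    cert = d.get("x509_certificate") or ""
    if "BEGIN" in cert or "END" in cert:
        problems.append("X.509 Certificate must be the bare base64 body without PEM header lines")
    else:
        try:
            der = base64.b64decode(cert, validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                problems.append("X.509 Certificate does not decode to DER")
        except (binascii.Error, ValueError):
            problems.append("X.509 Certificate is not valid base64 (copy error?)")
    return problems
```

Run the checks before saving the authentication method; a non-empty problem list usually corresponds to the 404/500 cases listed under Troubleshooting SSO issues.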

Editing SSO settings

After configuring the authentication method for your Postman team, you can select the Status toggle to turn it on or off. This is a team-level option, so this setting applies to the whole team.

To update the settings for an authentication method, select Edit, then select Continue.

To delete an authentication method, select Edit, then select Delete.

Creating user accounts

The first time a new Postman user signs in to Postman using the authentication method, a Postman account is created and the user is automatically added to the team if the following is true: the team has seats available and the Automatically add new users checkbox was selected during authentication method configuration.

The user will be automatically associated to the team with a Developer role and have access to team resources.

If the required conditions to automatically join the team aren't met, all Team Admins will receive the user's request to join the team.

Adding existing user accounts

The first time an existing Postman user signs in to Postman using the authentication method, the user is automatically added to the team if one of the following is true:

The user will be automatically associated to the team with a Developer role and have access to team resources.

If the required conditions to automatically join the team aren't met, all Team Admins will receive the user's request to join the team.

Automatically adding new users

The Automatically add new users checkbox in your authentication method determines whether users with accounts in your IdP can automatically join your team. When the checkbox is selected, a user joins the team automatically by signing in to Postman using the authentication method.

Automatically add new users will only work if your team has user seats available. Your team size won't automatically increase if more users sign in with SSO.

Managing team sign-ins

By default, Postman only supports Service Provider (Postman)-initiated sign-ins for Postman Enterprise teams. Your team must sign in to Postman using the authentication method. If you require users to sign in using an IdP-initiated sign-in from your SSO portal, you can generate and copy the Relay state from your authentication method, and then save it in your IdP configuration. This ensures an extra level of security when the sign-in process is initiated through a source unknown to Postman.

Removing team access

You must remove users from your team in Postman to prevent access to shared resources. When you remove a user from your team, you'll still retain access to any data they have shared with the team. You'll also be able to reassign their workspaces and the data within them to a remaining team member in some situations. To learn more, see Removing team members.

Signing and encryption certificates

As an extra level of security, Postman provides optional SAML signing and encryption certificates. These certificates aren't supported by all IdPs nor are they required in a typical Postman SAML SSO configuration. However, for teams with stricter security requirements, these certificates may be valuable options to implement.

Signing certificate

The signing certificate is an X.509 certificate used by Postman, the Service Provider (SP), to digitally sign SAML assertions sent to the Identity Provider (IdP). Signing ensures the authenticity and integrity of the SAML data by allowing the recipient (IdP) to verify that the message hasn't been tampered with and comes from the expected sender.

To enable the signing certificate, do the following:

  1. In Postman’s SAML SSO settings, select the Sign SAML Requests box.
  2. Download the public certificate from Postman.
  3. Upload the public certificate to your IdP, and select to require signature verification. For verification steps, refer to your IdP documentation.

Warning: If you configure your IdP to require signature validation, and then turn off SAML signing in Postman, you may break your SSO integration. The IdP will expect a signature but Postman won’t send it.

Encryption certificate

The encryption certificate is an X.509 certificate used by the IdP to encrypt the SAML assertions (such as user attributes). The recipient of the SAML response, Postman (the SP), uses a stored private key to decrypt the encrypted SAML response assertions. Encryption ensures that only the intended recipient can read the protected information, providing confidentiality during transmission.

To enable the encryption certificate, do the following:

  1. In Postman’s SAML SSO settings, download the encryption certificate.
  2. Upload the public certificate to your IdP for encrypting. For encryption steps, refer to your IdP documentation.

Troubleshooting SSO issues

Learn more about common SSO issues and how to troubleshoot them.

If you experience an error after signing in to Postman using SSO, see the following errors and possible solutions:

  • Your IdP returns a 404 error. Make sure the SSO URL is correctly copied from your IdP to your authentication method in Postman.
  • Postman returns a 500 error. Make sure the X.509 Certificate is correctly copied from your IdP to your authentication method in Postman.
  • Postman returns a 404 error. Make sure the values in the Service provider details (Postman) section are correctly copied from your authentication method in Postman to your IdP.
  • Postman returns a page explaining that the sign-in request expired. Make sure the Relay state is correctly copied from your authentication method in Postman to your IdP.

For more common SSO issues, see the following:

  • An email address isn't associated with your team members. In your IdP configuration settings, make sure the username format is set to Email.

Next steps

Now that you've set up SSO for your team, you might be interested in learning about how your team will interact with SSO and continuing on with SCIM (System for Cross-domain Identity Management) provisioning.

Last modified: 2024/07/24